
Tag Archives: Active Directory

Item Level Targeting is great and all; it works well for granular targeting. But with Item Level Targeting you are limited to Active Directory components only.

WMI or Windows Management Instrumentation consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification.

What if I told you that you could set up policies that allow you to target specific users, specific user names, specific hardware, and specific software, even specific hardware types? You could deploy hardware-specific drivers on your domain using WMI filtering.

It’s actually pretty slick, and far superior to anything that SNMP can offer. It is a very powerful tool set for a Sys Admin. The level of control WMI filtering gives you is absolutely amazing and robust. But is it secure? Well, that depends; it can be, and if you follow best practices there is no reason it shouldn’t be.

WMI filters are similar to SQL queries, for example…

select Version, ProductType from Win32_OperatingSystem where
((Version like "10%") and (ProductType = 1))

In the query above, Version 10 followed by the wildcard character matches both Windows 10 and Server 2016 (both report a 10.x version), and ProductType narrows it down: ProductType = 1 is a desktop (workstation) OS, 3 is a server OS, and 2 means the machine is a Domain Controller.

select Version, ProductType from Win32_OperatingSystem where
((Version like "6.1%") and (ProductType = 1))

The above is for Windows 7.

select Version, ProductType from Win32_OperatingSystem where
((Version like "6.3%") and (ProductType = 3))

Finally the last one is Server 2012 R2.

Note that the namespace these classes live in is root\CIMv2.

If you want to find and query WMI you can use the official tool available from Microsoft, it’s called The WMI Code Creator tool and it’s available here. If the link is dead just search for it. An alternative to this is the NirSoft SimpleWMIView available here, and Wmi Explorer available here.

WMI Code Creator looks something like the following. It allows you to browse all the WMI possibilities and search for property values of WMI classes. For obvious reasons you will need the .NET framework installed on your machine.

Creating a WMI Filter is simple. Open up your Group Policy Management application, expand your domain and at the bottom you should have a folder named WMI Filters. In this folder you can also see a collection of WMI Filters and which policies they are applied to.

Right click this folder and select New…

Give your Filter a name and Description, then click Add.

Finish by clicking OK and Save. You have now created a WMI Filter for Server 2016 all versions.

Now you need to apply the filter to a policy. Locate a policy in your Manager, and in the right pane on the bottom under WMI Filtering now you can select the filter you just created.

That’s pretty much it. You can play around with the WMI Code Creator and see that you can do some very granular filtering with this. You can create filters based on OS, CPU, disk drives, anything you can think of. It is a very powerful tool, and if you’re familiar with SQL queries you should have no trouble coming up with some complex filters.

Specific Host Name:

root\CIMV2 – Win32_ComputerSystem – DNSHostName = ‘YourHostname’
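The queries above can be tested on a machine before they are linked to a policy. The following script is an added example (not code from the post or from GPMC): it runs each WQL filter through the same WMI query engine GPMC uses and reports whether the filter would match the local machine. GPMC treats a filter as TRUE when the query returns at least one instance, and as FALSE when the query fails (a typo, a wrong class or namespace), in which case the linked GPO silently does not apply, which is exactly the kind of mistake you want to catch here. 'YourHostname' is the post's placeholder.

```powershell
# Added example: evaluate GPO WMI filter queries against this machine.
# A filter is TRUE when the query returns >= 1 instance, FALSE otherwise;
# a broken query is also FALSE, so the GPO would quietly stop applying.

$Filters = @(
    @{ Name  = 'Windows 10 / Server 2016 (ProductType 1 = workstation)'
       Query = 'select Version, ProductType from Win32_OperatingSystem where ((Version like "10%") and (ProductType = 1))' },
    @{ Name  = 'Windows 7 (ProductType 1 = workstation)'
       Query = 'select Version, ProductType from Win32_OperatingSystem where ((Version like "6.1%") and (ProductType = 1))' },
    @{ Name  = 'Server 2012 R2 (ProductType 3 = server)'
       Query = 'select Version, ProductType from Win32_OperatingSystem where ((Version like "6.3%") and (ProductType = 3))' },
    @{ Name  = 'Specific host name (placeholder YourHostname)'
       Query = "select DNSHostName from Win32_ComputerSystem where DNSHostName = 'YourHostname'" }
)

function Test-WmiFilter {
    param([string]$Query)
    try {
        # Same namespace the GPMC filter editor uses: root\CIMv2
        $Hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
        if ($Hits.Count -gt 0) { 'MATCH' } else { 'no match' }
    } catch {
        # GPMC would evaluate this as FALSE; surface the reason instead of hiding it
        'QUERY ERROR: ' + $_.Exception.Message
    }
}

# What this machine actually reports, for comparison with the filters
$Os = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem
'This machine: Version {0}, ProductType {1}' -f $Os.Version, $Os.ProductType

foreach ($F in $Filters) {
    '{0,-55} {1}' -f $F.Name, (Test-WmiFilter -Query $F.Query)
}
```

Get-WmiObject is used rather than Get-CimInstance so the script also runs on the Windows 7 / PowerShell 2.0 machines the post targets. Remember that a WMI filter is evaluated by the client computer itself; it is a targeting mechanism, not an access control, so the policy it gates still has to be safe to apply to any machine that can satisfy the query.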

As a side note, if you are a C# .NET developer you can also benefit from WMI through the System.Management namespace; you will need to add a reference to it in your Visual Studio project. This lets you query a Windows machine's hardware and retrieve statistics from it.

As of May 13 2014 it is no longer possible to create local accounts and assign passwords to them on a domain computer via Group Policy. This was a handy feature when it existed, however Microsoft found that a vulnerability in Group Policy Preferences could allow elevation of privileges.

If you would like further reading on this head over to read about MS14-025.

Here is the KB2962486 article if you would like even more reading on this.

But the basics of it are that Microsoft dropped the ball and the key that was used to encrypt the passwords via Group Policy was published in one of their articles. Total newbs, I hope the incompetent responsible for this got fired for that one.

Either way you can no longer create local accounts on a domain attached computer and set their passwords via group policy. There is a work around but it is no longer fully automated via GPO.
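The fix Microsoft shipped stops new passwords being written, but any Groups.xml (or other preference file) with a cpassword attribute that was created before the patch is still sitting in SYSVOL, readable by every domain user, protected only by the published key. The following script is an added example (not from the post or the KB article): it audits SYSVOL for preference files that still carry a cpassword attribute and reports the GPO they belong to so the preference can be deleted. It does not decrypt anything. $Domain defaults to the current user's domain; override it if you run it from a workstation that is not joined to that domain.

```powershell
# Added example: find Group Policy Preference items in SYSVOL that still
# store a cpassword (MS14-025). Report location and account; do not decrypt.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: audit the current domain
)

# Preference file types that may carry a cpassword attribute
$PrefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'
$Sysvol = "\\$Domain\SYSVOL\$Domain\Policies"

$Findings = Get-ChildItem -Path $Sysvol -Recurse -Include $PrefFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $File = $_
        [xml]$Xml = Get-Content -Path $File.FullName
        # The cpassword attribute lives on the <Properties> element of each item
        $Xml.SelectNodes('//*[@cpassword]') | ForEach-Object {
            # Different preference types name the account differently
            $Account = $_.userName
            if (-not $Account) { $Account = $_.accountName }
            if (-not $Account) { $Account = $_.runAs }
            # The folder directly under Policies is the GPO GUID
            $Gpo = ($File.FullName -split '\\Policies\\')[1] -split '\\' | Select-Object -First 1
            New-Object PSObject -Property @{
                GpoGuid = $Gpo
                Type    = $_.ParentNode.Name     # User, NTService, Task, Drive, ...
                Account = $Account
                Action  = $_.action              # C/R/U/D as set in the preference
                File    = $File.FullName
            }
        }
    }

if ($Findings) {
    $Findings | Format-Table GpoGuid, Type, Account, Action, File -AutoSize
} else {
    Write-Host "No cpassword attributes found under $Sysvol"
}
```

Treat every hit as a credential that must be considered compromised: remove the preference item in GPMC (deleting the attribute by hand leaves the item inconsistent), then change the password on the affected accounts through a channel that does not write it to SYSVOL, such as the PsPasswd approach described below.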

It is a two-step process now: you use the “Update” action instead of “Create” in GPO. You are no longer able to create a local account, but you can “Update” one. The update action will create a new account, but it will not set the password. You can use PsTools to set the passwords remotely; inside the PsTools suite is an executable called PsPasswd.exe that can change local and domain passwords alike.

One thing to note as of this writing is that PsTools, v1.23 of the PsPasswd executable is broken. You will need v1.22 of PsPasswd to accomplish this. It’s not easy to find the v1.22 of the exec but I managed to find a link on the net that works and I’ve shared it via Gdrive.

This works on Windows 7, as for newer versions of Windows I can not comment. I will never move my domain computers to Windows 8+.

Some anti-virus scanners report that one or more of the tools are infected with a “remote admin” virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they can trigger virus notifications. I also assure you I have not altered this zip file in any shape or form, that is beyond me.

computer – Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.

@file – Run the command on each computer listed in the text file specified.

-u – Specifies optional user name for login to remote computer.

-p – Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.

Username – Specifies name of account for password change.

NewPassword – New password. If omitted a NULL password is applied.

For example if you wanted to change a local Admin password on a domain computer named COMPU-DEV1, it would go something like this:

If you wanted to change the local Admin password on all the computers on the Domain you can execute the following command:

pspasswd \\* -u domain\DomainAdmin -p Password Administrator Password

Alternatively you can do this with a text file. The file needs to contain a single computer name on each line. You can export such a file from Active Directory: right click the appropriate OU, select Export List…, and pick the Text (Tab Delimited) .txt file format. You’ll have to remove the first (header) line from the file, and any other columns that aren’t the computer name.
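The hand-editing of the export can be scripted. The following is an added example (not the post's own code): it reads the tab-delimited export, keeps only the Name column, writes the one-name-per-line file pspasswd expects, and then runs pspasswd against it. The file names, the column name "Name" and pspasswd.exe being on the PATH are assumptions. Note two details from the usage table above: leaving out -p makes pspasswd prompt for the admin password, which keeps it out of the command line and your shell history, but the new password must always be supplied, because pspasswd applies a blank password when it is omitted.

```powershell
# Added example: build pspasswd's @file from an ADUC "Export List" and run it.
param(
    [string]$ExportFile   = 'C:\Temp\ou-export.txt',   # assumption: the exported .txt
    [string]$ListFile     = 'C:\Temp\computers.txt',   # assumption: where to write the list
    [string]$LocalAccount = 'Administrator',
    [string]$AdminUser    = 'domain\DomainAdmin'       # placeholder from the post
)

# Import-Csv with a tab delimiter consumes the header line and exposes named
# columns, so neither the first line nor the extra columns need hand editing.
$Rows  = Import-Csv -Path $ExportFile -Delimiter "`t"
$Names = $Rows |
    ForEach-Object { $_.Name.Trim() } |     # assumption: computer name column is "Name"
    Where-Object  { $_ -ne '' } |
    Sort-Object -Unique

# pspasswd reads plain text, one computer per line
$Names | Out-File -FilePath $ListFile -Encoding ASCII
Write-Host ('{0} computers written to {1}' -f @($Names).Count, $ListFile)

# Ask for the new password interactively instead of hard-coding it in the script.
# It must be passed: an omitted NewPassword means a NULL password on every machine.
$NewPassword = Read-Host -Prompt "New password for local account '$LocalAccount'"
if ([string]::IsNullOrEmpty($NewPassword)) { throw 'Refusing to set an empty password' }

# No -p: pspasswd prompts for the admin password (entered hidden).
& pspasswd.exe ('@' + $ListFile) -u $AdminUser $LocalAccount $NewPassword
```

For a single machine, replace the @file argument with the computer name in the \\COMPU-DEV1 form shown in the usage table. Be aware that the new password still appears in the pspasswd command line on the local machine while it runs; setting the same local administrator password on every computer in the domain also means one compromised machine exposes all of them, which is the problem the removed GPP feature had in a different form.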

Let’s talk Active Directory again, AD for short. In my opinion it is an IT administrator’s best friend. It has the potential to eliminate the need for logon scripts; it can simplify software deployments to multiple computers, improve security, and eliminate malware. If you’re an IT admin in a small shop or new to the Admin game and haven’t really employed AD on your network besides the default domain policy, I suggest you have a look into it.

What does Security Filtering and Item Level Targeting do exactly? Well they allow you to apply Group Policies to individual users, computers or groups.

Security Filtering is a basic way of controlling which group a policy is applied to. For instance, when you create a new Group Policy Object in Active Directory, by default the GPO applies to Authenticated Users. So any user that logs on to the domain, or rather is authenticated by the domain, and exists in the OU where the GPO is linked, will have said policy applied when they log in. Now, let’s say you want to limit this to a specific set of users, perhaps the Accounting department: they might have a specific drive, or access to a drive, that you want mapped for them when they log on. This is easy to accomplish with Security Filtering. Please be aware that Security Filtering is not the only way to restrict or grant access to specific network resources, not at all. There are several ways to approach this, some more complicated than others; this is merely one of them.

The benefit of Security Filtering is that any users, security groups, or computers not in the list are left out. It also gives you somewhat greater control, such as letting you set the read/write permissions for each group on the policy. Security Filtering is a top-level filter: during logon AD checks whether you are part of the listed groups, and if you are not, no further checks are performed against this policy. The drawback is exactly that no further checks are performed, so for instance if you have a policy that maps various network drives to people in different departments, and the drives differ per department, you’d have to create a new policy for each department. Note: some people prefer to have separate policies per department and organize theirs just like this. This method works well for large organizations that need to visually separate policies.
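The same change can be made from PowerShell with the GroupPolicy module (available on a domain controller or with RSAT installed). The script below is an added example, not the post's own code; the GPO name "Accounting Drive Map" and the group "Accounting" are placeholders. It grants the group Read and Apply, which is what the Security Filtering pane in GPMC displays, and drops Authenticated Users to Read only. Keeping Read matters: the computer account has to be able to read the GPO for it to be processed at all, so removing Authenticated Users entirely makes the policy stop working rather than making it more selective.

```powershell
# Added example: apply Security Filtering to a GPO with the GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'Accounting Drive Map'   # placeholder GPO name
$Group   = 'Accounting'             # placeholder security group

# 1. The Accounting group gets Read + Apply Group Policy (GpoApply).
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 2. Authenticated Users keep Read but lose Apply, so the GPO no longer
#    applies to everyone. -Replace is required: without it Set-GPPermission
#    will not lower an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 3. Print the resulting delegation so the change can be reviewed
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

Run gpresult /r or the Group Policy Results wizard on a test machine afterwards: a GPO that is linked but filtered out shows up under "denied GPOs" with the reason Security Filtering, which is the quickest way to confirm the filter does what you intended.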

Enter Item Level Targeting: it is a nested form of filtering within a specific Group Policy. This is where you can have your entire filtering done inside the policy. Perfect for smaller offices or for filtering resources per department. On my network I use Item Level Targeting to target specific groups that users are members of, to map special drives on their computers.

I don’t support that many users, so this is a viable solution for me. For larger organizations, and to be more transparent with your policies, use Security Filtering.

There are many ways to filter groups, users, and computers; these are just a couple that are useful.

Side Note: You can also use WMI filters to filter group policies based on specific hardware resources. WMI filters are created in the Group Policy Management editor, and can be created and applied to a GPO based on computer attributes such as the OS, free disk space, brand, or model. This is perfect if you want to deploy drivers and software to specific machines, or a range of machines, on your network without adding them to a specific group.

This information applies to both home and business users. I want to create detailed instructions so that the most basic of users can create and deploy the image. Home users can create a recovery image in case something goes wrong with their PC. For business users this can speed up deployment to multiple PCs on your network. Either way you can have your desktop recovered in a matter of minutes with a full suite of software, updates, and preferences. You can design the image to be very broad, covering a wide range of hardware, or very specific, targeting a specific set of hardware. The choice is yours; a specific set of hardware would be more geared towards the home user. I will cover Windows 7 deployment. From here on in, all references to Windows assume we are talking about Windows 7.

The following software and hardware is necessary to create a custom image: a Windows machine with 100GB of free space, a 4GB flash drive, a Windows OS disc, Windows AIK, Oracle VM VirtualBox, DISM GUI, Virtual Clone Drive, the latest driver pack from DriverPack.net, hardware drivers for your specific hardware, and another flash drive or USB hard drive (its size will depend on your image size). You could use CDs or DVDs for booting the software, but as of Windows 7 I find that flash drives are more reliable than optical media and less prone to installation errors. Having said this, you will need to create a CD or DVD WinPE image so you can image the VirtualBox operating system, as VirtualBox does not allow booting from a flash drive. But we’ll get to that later.

The Windows machine will be used to create the initial image for the deployment, install the supporting applications (AIK, VirtualBox, DISM GUI, Clone Drive), and slipstream all the necessary drivers for your hardware. The driver pack will be used for the WinPE image that will be created with Windows AIK; this will ensure that WinPE is compatible with most hardware out there. WinPE stands for Windows Preinstallation Environment; it is small and is used as the front end for capturing and deploying the wim images. We will be creating an x86 version of WinPE, as I found that the x64 version has problems detecting some hardware. This also means that when downloading the mass storage and network drivers from DriverPack.net you should download the x86 versions. Your actual OS image architecture will depend on your installation disc for your hardware.

Windows AIK is a 1.7GB download, so get ready for a long wait if your internet connection is a little slower. Once you have everything downloaded you can proceed and install Virtual Clone Drive (VCD). VCD is used to mount iso files; it creates a virtual CD/DVD drive and allows you to install from the iso without having to burn it onto a CD/DVD. Mount the Windows AIK iso in VCD: right click the iso and select Mount (Virtual CloneDrive …). In my case VCD assigned itself drive letter E.

Open up the drive and run StartCD.exe (if autorun doesn’t kick in), then proceed with the Windows AIK Setup. Agree to the license terms, select your installation location, and let it install. It is recommended to have an up-to-date .NET framework installed. Once AIK is installed you can unmount the image. Start the Windows AIK Deployment Tools Command Prompt as Administrator.

WinPE Creation

Here we’ll begin to create the WinPE disc for image capture and creation. More info on creating the WinPE environment. In the command prompt type in the following command:

copype.cmd x86 c:\winpe

Where x86 is the architecture of WinPE and c:\winpe is the destination it will be copied to. Then run a command to copy and rename the winpe.wim file.

copy c:\winpe\winpe.wim c:\winpe\ISO\sources\boot.wim

Then you need to add imagex.exe to the WinPE image; this executable is responsible for capturing and deploying wim Windows images.

Note the quotes around the source path. These are necessary due to the space in the directory structure. Next you will need to create a bootable flash drive. Open up a new command window as administrator.

In the new command window open up Disk Partition manager by typing…

diskpart

Insert your flash drive in to a USB port. In the next few steps we will format the flash drive and make it bootable. Then copy the contents of WinPE to the flash drive.

list disk

This command lists all the disks attached to the computer.

select disk 6

This selects the 6th disk, which in this case is the flash drive.

create partition primary or create part primary

Creates a primary partition.

select partition 1 or select part 1

Selects the partition you just created.

active

This marks the partition with focus as active. This informs the basic input/output system (BIOS) or Extensible Firmware Interface (EFI) that the partition or volume is a valid system partition or system volume.

format quick fs=fat32

Quick formats the flash drive partition as a FAT32 file system.

assign letter=f

This command is not strictly necessary and you can skip it, but then you’ll need to unplug the flash drive and plug it back into the computer. Alternatively you can use it to assign a drive letter to the flash drive so it appears in Windows.

exit

Exits the disk partition manager. You can also use the above steps to create bootable flash drives in Windows at any point and time.
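The diskpart steps above are interactive, and the one that bites people is "select disk 6": pick the wrong number and a fixed disk gets formatted. The following script is an added example (not the post's own): it checks through WMI that the chosen disk number really is on the USB bus before feeding the same command sequence to diskpart via a script file. Disk number 6 and drive letter F: are the post's values and are assumptions here; it also adds a "clean" step the walkthrough does not have, so the flash drive does not need to be empty first. The WinPE files are still copied afterwards with the xcopy step described below, after the drivers have been slipstreamed.

```powershell
# Added example: the WinPE flash drive diskpart sequence, guarded so that the
# disk about to be wiped is a USB device. Run from an elevated prompt.
param(
    [int]$DiskNumber = 6,     # assumption: the number "list disk" showed for the stick
    [string]$Letter  = 'F'    # assumption: drive letter to assign
)

# Win32_DiskDrive.Index is the same disk number diskpart's "list disk" displays
$Disk = Get-WmiObject -Class Win32_DiskDrive -Filter "Index = $DiskNumber"
if (-not $Disk) { throw "Disk $DiskNumber not found" }
if ($Disk.InterfaceType -ne 'USB') {
    throw ('Disk {0} ({1}) is on the {2} bus, not USB; refusing to format it' -f
           $DiskNumber, $Disk.Model, $Disk.InterfaceType)
}

$SizeGB = [math]::Round($Disk.Size / 1GB, 1)
Write-Host ('About to wipe disk {0}: {1}, {2} GB' -f $DiskNumber, $Disk.Model, $SizeGB)
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Same sequence as the walkthrough, plus "clean" so an already-partitioned
# stick does not make "create partition primary" fail
$DiskpartScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format quick fs=fat32
assign letter=$Letter
exit
"@

$ScriptFile = Join-Path $env:TEMP 'winpe-usb.txt'
$DiskpartScript | Out-File -FilePath $ScriptFile -Encoding ASCII
diskpart /s $ScriptFile
```

Because the commands go through "diskpart /s", the script is also a record of exactly what was done to the disk, which is worth keeping next to the image build notes.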

Before we copy the contents of the WinPE ISO directory to the flash drive we need to slipstream the mass storage and network drivers into the WinPE wim. Remember to pick the appropriate architecture and operating system driver pack from DriverPacks.net. The file we need to tackle is located in C:\winpe\ISO\sources; it is the boot.wim file we copied earlier. Create a temporary directory (C:\Temp). We will mount the wim file with DISM GUI there; the application mounts the contents to a directory where you can make changes and then later commit them to the wim image file. Without DISM GUI we would be doing this via the command line, so you can thank Mike Celone for this neat little app. One thing to note about Driver Packs: they can only be downloaded via BitTorrent; you can use the Opera browser if you like, as it has a built-in BitTorrent client.

Launch the application with elevated permissions, as administrator. Choose the wim file located in the sources folder, and select the mount location. Once you have selected the file and mount location click Mount WIM. DISM is Running… may take a few minutes, it all depends on the size of the wim file. DISM Output should come back with “The operation completed successfully.”

Click the “Driver Management” tab. Make sure the Force Unsigned and Recursive options are checked, then click Add Drivers. DISM is Running. Please wait… Again, depending on how many drivers there are this might take a few minutes, be patient. If you have specific hardware drivers you want to use, add them here as well. Remember we’re using the x86 version of WinPE, so you will need to use the 32-bit drivers.

Once this is done click on the “Mount Control” tab and click Dismount WIM. It will ask you if you want to commit changes; click Yes. Again we play the waiting game as DISM GUI does its thing. Once complete you can close DISM GUI; now we need to copy the contents of the ISO folder to the flash drive. Go back to a command line window (either will do) and type in the following.

xcopy C:\winpe\iso\*.* /e F:\

Where F: is the drive letter of the flash drive. Once this completes we’re done creating the universal WinPE image. You can eject the flash drive and test it by booting another computer from it. If you followed the instructions you should be good to go. While we’re here we should also make an iso image of the WinPE boot disk; this will later be used to capture and deploy the Windows OS image in VirtualBox. A VirtualBox instance can not be booted from a flash drive, so the iso will need to be burned to a CD or mounted in VCD and then booted in the VM. I prefer the latter. To create the iso, type the following in the Deployment Tools Command Prompt.

oscdimg -n -bC:\winpe\Etfsboot.com C:\winpe\ISO C:\winpe\winpe.iso

Oscdimg is a command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit version of Windows PE. The -n option enables long file names, and the -b option specifies the location of the El Torito boot sector file; do not put a space between -b and the path. CD-ROMs have their own structure of boot sectors, which for IBM PC compatible systems follows the El Torito specification. Here is the oscdimg TechNet article if you’d like more info on it.

Windows OS image creation

In the VirtualBox Manager go to New, type in a name for your Virtual Machine (VM), and click Next. Allocate memory to the VM; you want a minimum of 512MB. I would recommend at least 2GB (2048MB), but this all depends on the capability and resources of your host machine. My desktop has 16GB of RAM, so freeing up 2GB for the VM is a non-issue, but it’s all hardware dependent. I’d say if you have at least 4GB of RAM give the VM 2GB of that. If you do this, do not run too many applications on your host machine while the VM is running. Click Next after you have allocated RAM to the VM.

Select Create a virtual hard drive now and click Create. For Hard drive file type I selected VMDK, because this is the same format used by VMware, so I could potentially copy this machine to a VM server if I wanted to. Click Next after you have selected the hard drive file type, select Dynamically allocated and click Next. If you select Fixed Size it takes a while to create the virtual disk, which is why I selected Dynamic. For File location and size I kept the default of 25GB; to save your VMDK in a specific location click the folder icon on the right. Click Create.

Your VM is now created, all you need to do now is install the Operating System.

Insert the Operating System disc into your CD-ROM drive or mount the iso in CloneDrive. To make Virtual CloneDrive (VCD) available to the VM, highlight the VM in VirtualBox, click Settings, then Storage, add an IDE controller and click Leave Empty. Highlight the Empty controller, and under Attributes click the disc icon and select the drive letter that corresponds to the virtual disc. In my case it’s E.

Click OK and start the VM. Click the VM window and start pressing F12 so you can choose the device to boot from. Select c for CD-ROM. Boot into the installation menu and start installing Windows in your VM. Install the operating system, all the Windows updates, and any other applications you would like this image to have. When creating a user during this installation, create a generic user such as User, Admin, or PC. Once you sysprep the OS you will not be able to create that specific user ID again, so if in the final deployed image you want a user ID named Admin, do not use it during the initial VM OS installation.

As a system admin I install all my software over the network using PDQ Deploy, and use Group Policy to push any other mandatory software, drive mappings, printers, etc. So installing software on the OS would be more geared towards a home user or a small business. I mostly use the image to deploy Windows with current updates and such.

Either way this Windows installation, and updates will probably take a while.

Once you see the above and you’ve installed all the applications you desire, it’s time to take a snapshot of your image. A snapshot allows you to revert the VM to a previous state. We want to do this right before running sysprep, as sysprep can only be run a limited number of times on an operating system. To do this, in your Oracle VM VirtualBox Manager click Snapshots at the top right; this opens the snapshots pane. Then click the camera button and it will take a snapshot of the operating system state. I take several snapshots just in case I screw something up during installation: one right after the Windows updates, one of the bare OS install, and one prior to running sysprep with all the custom software installed. To restore a snapshot the VM needs to be shut down.

A restore is handy when you want to go back and update your image. Every quarter (3 months) I go back to the image and add new updates and software revisions if necessary. This is part of my Disaster Recovery plan. It saves me from running the lengthy Windows update process each time, and with multiple snapshots I have varying restore points.

The next step is to run sysprep. Sysprep is a system preparation tool which strips the operating system of hardware-specific drivers, preventing compatibility issues when installing the OS on different hardware. If you’ve ever set up a desktop computer from Dell this is almost exactly what it does. Don’t worry, after we create the image we will slipstream the appropriate hardware drivers into it with DISM GUI. Sysprep is located at C:\Windows\System32\sysprep\sysprep.exe. Double click the executable, select Enter System Out-of-Box Experience (OOBE), check Generalize, and select Shutdown.

Click OK, this will run a cleanup and generalize phase and then shutdown your VM.

Capturing the Windows Image

Once the VM is shut down, mount the winpe.iso we created earlier in Virtual CloneDrive. Also make sure that the VCD is available to the Virtual Machine; you can double check by highlighting the VM, clicking Settings and selecting Storage. Under Controller: IDE you should see Host Drive ‘E:’, where E: should reflect the drive letter of your computer’s VCD drive.

Now this is important: next you want to boot the VM you just sysprepped and shut down, but you want to boot it from the mounted WinPE iso, the CD-ROM in the VM. One thing to consider is that you will need to save the Windows image somewhere, and it can not be inside the VM, so you have two options: save it to your host machine by mounting a shared folder in WinPE via the net use command, or attach a USB drive to the VM via Settings, USB, and clicking the Add USB Device icon.

Start the VM and focus its window, and keep pressing F12 while booting to bring up the boot menu. Select option c0, which is the CD-ROM, to boot the mounted WinPE image.

The above image is an indication that WinPE is loading. Once booted you’ll be greeted with a DOS-style command prompt, generally X:\windows\system32>. Next you’ll need to figure out which drive is which and what drive letters are assigned. Usually I just go through the alphabet with the commands a:, b:, c:… etc. In my instance the USB drive did not come up in the VM; typical, it rarely works. So we have to do this the hard way: mount a network drive in WinPE (in the VM) and send the image to the host PC. This is why we slipstreamed LAN and storage drivers into the WinPE image earlier. I found the drives c:, d:, e:, and x:. C: is System Reserved, D: is the sysprepped OS, E: is the WinPE CD-ROM, and X: is the drive assigned to the current WinPE instance. Note these drives and what is on them.

First let’s make sure the VM has an IP: run ipconfig to confirm that it does. If you get an IPv4 address that doesn’t start with 0.x.x.x or 169.x.x.x you’re good to go. If you don’t get an IP you need to find the right LAN drivers, slipstream them into the WinPE wim, and recreate the iso.

Next ping your host computer’s IP to make sure the VM can talk to the computer it is running on. Run ipconfig on your host computer to get its IP address and then ping that IP from your VM. For example my host PC’s IP was 10.50.70.104, so in the VM I ran the command

ping 10.50.70.104

and the pings were successful. This means the two machines can talk to each other.

Next create a folder called IMAGE on the VM host machine in the root of C:, C:\IMAGE. Right click the folder, select Properties, select the Sharing tab, and click Share. In the File Sharing window type in Everyone and click Add or press Enter. Under Permission Level give Everyone Read/Write permissions and click Share. If you are not able to share the folder you will need to enable File and Printer Sharing in Windows; go here to see how it’s done. Remember, sharing is caring. Just remove the share again once the image has been captured; an Everyone read/write share has no business staying on your workstation.

Now we will mount this shared folder in the VM that is running WinPE using the net use command. The syntax is ‘net use <drive letter> \\server\share’; in my case I used the command

net use z: \\10.50.70.104\image

With this command I mounted the shared folder image on the machine with IP 10.50.70.104 as the Z: drive in WinPE. In my case I was also prompted for a user name and password; the reason for this is that I’m on a domain, and my domain security settings require a valid domain user. The user ID is preceded by the domain, domain\userid, and a second prompt asked me for the password.

Time to capture the Windows image. If you’re not there already, switch to the X: drive by typing x:. I used the following command to capture the Windows image

e:\imagex.exe /capture d:\ z:\laptopIMG.wim "Laptop Image"

This will start the image capture process.

e:\imagex.exe – the location of the imagex program on the CD-ROM. This program is used for capturing and deploying images.

/capture – the command line switch that tells imagex to capture an image.

d:\ – the source of the image: the drive which has the sysprepped Windows 7 OS.

z:\laptopIMG.wim – the destination and name of the image file. Z: is the network drive we mounted earlier, which points to the VM host machine.

"Laptop Image" – the label given to the image file that will be created.

That’s pretty much most of the hard work. You’re almost done. All that is left is to wait for the image to finish being captured. Once the image is captured open up DISM GUI and mount the wim file, same as before; this time we will add the hardware-specific drivers though: LAN, sound, mouse, keyboard, chipset… etc. Grab the hardware drivers from the manufacturer’s website. Use the instructions above. If you have various hardware setups on your network or at home, grab all the drivers necessary and slipstream them all into the wim file. One thing to note is that slipstreaming video drivers will not work. I’m OK with that, as they change so often it is a non-issue for me. You could always place the installer executable in a folder of the Windows 7 image. Unmount and commit the Windows image changes in DISM GUI. Your image is complete; all that is left to do is deploy it to a machine.

Windows Image deployment

To deploy the image, plug the WinPE flash drive and the USB drive that has the Windows wim file on it into a computer. Change the boot priority on the PC so it boots from the WinPE flash drive. Once in WinPE you need to locate all the drives and distinguish them; write down which is which. Then we need to enter the disk partition manager again; we will erase the primary drive in the machine, and leave the flash drive and USB drive alone. Enter the following commands in the command prompt:

Now let’s image the freshly formatted drive with your Windows image. Assuming that the WinPE flash drive is on drive F: and the USB drive with the Windows image on drive G:, run the following command.

f:\imagex.exe /apply g:\laptopIMG.wim 1 C:

f:\imagex.exe – is the image management application located on the WinPE flash drive

/apply – is the switch to tell the application to apply a wim image

g:\laptopIMG.wim – is the location of the image file in the USB drive

1 – is the index of the wim; a wim can house different versions of itself

C: – is the destination that the image is to be applied to

Update: Forgot to mention an important step in deploying the image. Prior to restarting the computer after imaging, the bcdboot command needs to be run. BCDboot is used to initialize the Boot Configuration Data (BCD) store and copy boot environment files to the system partition. For example, at a command prompt, type the following.

C:\windows\system32\bcdboot C:\windows (for an x86 OS)

C:\windows\SysWOW64\bcdboot C:\windows (for an x64 OS)

For the 64-bit version of Windows the command has to be run from the SysWOW64 directory, otherwise it will not work.

Wait for it to finish, power down the computer, and remove the flash and USB drive. Then boot up the computer and go through the setup process such as creating a User, setting the time zone, adding to the domain… etc.
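The deployment is three tools run in a fixed order (diskpart, imagex /apply, bcdboot), and forgetting the last one, as the update above shows, leaves an unbootable machine. The WinPE built here has no PowerShell, so the following added example (not the post's own code) is run beforehand on your admin workstation: it writes a deploy.cmd and its diskpart script onto the WinPE flash drive, and in WinPE the whole deployment becomes one command. Assumptions, all placeholders: the flash drive is F: while you prepare it, the image is laptopIMG.wim on the second USB drive, which shows up as G: inside WinPE, the target machine's internal disk is disk 0, and imagex.exe sits in the root of the flash drive as in the post.

```powershell
# Added example: generate deploy.cmd + wipe-disk.txt for the WinPE flash drive.
param(
    [string]$FlashDrive = 'F:',               # assumption: flash drive letter on the admin PC
    [string]$ImagePath  = 'g:\laptopIMG.wim', # assumption: wim location as seen from WinPE
    [int]$ImageIndex    = 1,
    [int]$TargetDisk    = 0,                  # assumption: internal disk of the target machine
    [switch]$Target64Bit                      # 64-bit image: use the SysWOW64 bcdboot per the post
)

# Wipe the internal disk and create one active NTFS partition as C:
$DiskpartScript = @"
select disk $TargetDisk
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign letter=C
exit
"@

# x86 WinPE cannot run the 64-bit bcdboot in System32; the 32-bit copy is in SysWOW64
$Bcdboot = if ($Target64Bit) { 'C:\windows\SysWOW64\bcdboot' } else { 'C:\windows\system32\bcdboot' }

# %~dp0 is the folder deploy.cmd lives in, i.e. the flash drive root in WinPE
$Deploy = @"
@echo off
echo This will ERASE disk $TargetDisk and apply $ImagePath to it.
echo Run "diskpart" and "list disk" first if you are not sure which disk that is.
set /p CONFIRM=Type YES to continue:
if /i not "%CONFIRM%"=="YES" exit /b 1

diskpart /s %~dp0wipe-disk.txt
if errorlevel 1 exit /b 1

%~dp0imagex.exe /apply $ImagePath $ImageIndex C:
if errorlevel 1 exit /b 1

rem Without this step the freshly imaged disk has no boot configuration
$Bcdboot C:\windows
if errorlevel 1 exit /b 1

echo Done. Power off, remove the flash and USB drives, then boot the machine.
"@

# cmd and diskpart want plain ASCII; Out-File on Windows writes CRLF line endings
$DiskpartScript | Out-File -FilePath (Join-Path $FlashDrive 'wipe-disk.txt') -Encoding ASCII
$Deploy         | Out-File -FilePath (Join-Path $FlashDrive 'deploy.cmd')    -Encoding ASCII
```

In WinPE the flash drive will usually not be F: any more, which is why deploy.cmd locates imagex and the diskpart script relative to itself; the image path and the disk number, however, are baked in, so check them against what "list disk" and the drive letter walk-through show on each new hardware model before typing deploy.cmd.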